package cn.cloud.all.security.oauth2.client.provider;

import cn.cloud.all.security.access.AccessDeniedException;
import cn.cloud.all.security.oauth2.client.exception.OAuth2AccessDeniedException;
import cn.cloud.all.security.oauth2.client.exception.UserRedirectRequiredException;
import cn.cloud.all.security.oauth2.client.token.AccessTokenRequest;
import cn.cloud.all.security.oauth2.common.DefaultOAuth2AccessToken;
import cn.cloud.all.security.oauth2.common.OAuth2AccessToken;
import cn.cloud.all.security.oauth2.common.OAuth2RefreshToken;
import cn.cloud.all.security.oauth2.common.util.OAuth2Utils;
import cn.cloud.all.security.oauth2.resource.ImplicitResourceDetails;
import cn.cloud.all.security.oauth2.resource.OAuth2ProtectedResourceDetails;
import org.springframework.http.HttpHeaders;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.ResponseExtractor;

import java.io.IOException;
import java.net.URI;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

/**
 * Provider for obtaining an oauth2 access token by using implicit grant. Normally the implicit grant is used by script
 * clients in a browser or device, but it can also be useful for native clients generally, so if those clients were
 * written in Java this would be a nice convenience. Web application clients are also a possiblity, although the
 * authorization code grant type is probably more common there, and requires no special customizations on the
 * authorization server. Callers add any additional form parameters they need to the {@link DefaultAccessTokenRequest}
 * and these will be passed onto the authorization endpoint on the server. The server then has to interpret those
 * parameters, together with any other information available (e.g. from a cookie), and decide if a user can be
 * authenticated and if the user has approved the grant of the access token. Only if those two conditions are met should
 * an access token be available through this provider.
 *
 * @author Dave Syer
 */
public class ImplicitAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider {

    public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
        return resource instanceof ImplicitResourceDetails && "implicit".equals(resource.getGrantType());
    }

    public boolean supportsRefresh(OAuth2ProtectedResourceDetails resource) {
        return false;
    }

    public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resource,
                                                OAuth2RefreshToken refreshToken, AccessTokenRequest request) throws UserRedirectRequiredException {
        return null;
    }

    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest request)
            throws UserRedirectRequiredException, AccessDeniedException, OAuth2AccessDeniedException {

        ImplicitResourceDetails resource = (ImplicitResourceDetails) details;
        try {
            // We can assume here that the request contains all the parameters needed for authentication etc.
            OAuth2AccessToken token = retrieveToken(request,
                    resource, getParametersForTokenRequest(resource, request), getHeadersForTokenRequest(request));
            if (token == null) {
                // Probably an authenticated request, but approval is required.  TODO: prompt somehow?
                throw new UserRedirectRequiredException(resource.getUserAuthorizationUri(), request.toSingleValueMap());
            }
            return token;
        } catch (UserRedirectRequiredException e) {
            // ... but if it doesn't then capture the request parameters for the redirect
            throw new UserRedirectRequiredException(e.getRedirectUri(), request.toSingleValueMap());
        }

    }

    @Override
    protected ResponseExtractor<OAuth2AccessToken> getResponseExtractor() {
        return new ImplicitResponseExtractor();
    }

    private HttpHeaders getHeadersForTokenRequest(AccessTokenRequest request) {
        HttpHeaders headers = new HttpHeaders();
        headers.putAll(request.getHeaders());
        if (request.getCookie() != null) {
            headers.set("Cookie", request.getCookie());
        }
        return headers;
    }

    private MultiValueMap<String, String> getParametersForTokenRequest(ImplicitResourceDetails resource, AccessTokenRequest request) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.set("response_type", "token");
        form.set("client_id", resource.getClientId());

        if (resource.isScoped()) {

            StringBuilder builder = new StringBuilder();
            List<String> scope = resource.getScope();

            if (scope != null) {
                Iterator<String> scopeIt = scope.iterator();
                while (scopeIt.hasNext()) {
                    builder.append(scopeIt.next());
                    if (scopeIt.hasNext()) {
                        builder.append(' ');
                    }
                }
            }

            form.set("scope", builder.toString());
        }

        for (String key : request.keySet()) {
            form.put(key, request.get(key));
        }

        String redirectUri = resource.getRedirectUri(request);
        if (redirectUri == null) {
            throw new IllegalStateException("No redirect URI available in request");
        }
        form.set("redirect_uri", redirectUri);

        return form;

    }

    private final class ImplicitResponseExtractor implements ResponseExtractor<OAuth2AccessToken> {
        public OAuth2AccessToken extractData(ClientHttpResponse response) throws IOException {
            // TODO: this should actually be a 401 if the request asked for JSON
            URI location = response.getHeaders().getLocation();
            if (location == null) {
                return null;
            }
            String fragment = location.getFragment();
            OAuth2AccessToken accessToken = DefaultOAuth2AccessToken.valueOf(OAuth2Utils.extractMap(fragment));
            if (accessToken.getValue() == null) {
                throw new UserRedirectRequiredException(location.toString(), Collections.<String, String>emptyMap());
            }

            return accessToken;
        }
    }

}
